Handling Subscriptions

Tokenization means the replacement of a sensitive piece of information (i.e.: credit card number) with a non sensitive one, called Token.

Tokenization and Iframe solutions are available to Enterprise users.

Tokenization is used within Gestpay in order to help merchants to match PCI-DSS requirements, defined by all major credit cards companies in order to protect sensitive data of cardholders.

Merchants, who ask to their customers to register in their online shop, often save the customer’s credit card data in their system.

This behaviour has many advantages, first of which is the fact that the registered buyers will be able to complete their next purchases without the need to enter their card data again.

However, this behaviour might not be compliant with PCI-DSS rules.

Merchants must NEVER store their customers’ cards data into their systems, unless they had been formally certified as PCI-DSS compliant.

In order to offer the same experience to their customers without the need to face heavy certification programs, merchants can take advantage of Tokenization feature of Gestpay, combined with IFrame solution.

With Tokenization, a merchant will be able to remotely store credit card data in Gestpay archives and receive a Token in answer; the merchant will save the received Token in its system instead of the credit card data.

For the next purchases, the merchants will send to Gestpay the Token instead of the credit card number.

Gestpay will retrieve the credit card number from its archives starting from the Token and it will complete the transaction.

Merchants will request and obtain new Tokens within the IFrame architecture, and they will use previously generated Tokens within the Server-Server architecture.

Therefore it is advisable for merchants, before they begin to work with Gestpay Tokens, to read both IFrame and Server-to-Server sections.

Token generation during payments in IFrame architecture

It is very simple to request and obtain a new Token during a transaction with IFrame architecture. The involved phases are the first (encryption of transaction data) and the last (decryption of Gestpay answer).

In order to request a new Token, the merchant’s system must set a value for requestToken in the call to Encrypt method of WsCryptDecrypt web service. Next chapter describes which values must be used.

Here is an example Encrypt request:

<Encrypt><shopLogin>9000001</shopLogin><uicCode>242</uicCode><amount>985</amount><shopTransactionId>34az85ord19</shopTransactionId><!-- standard way to retreive the token --><requestToken>MASKEDPAN</requestToken></Encrypt>

In order to receive the Token data, the merchant’s system must read the values of Token, TokenExpiryMonth and TokenExpiryYear in the response of Decrypt method of WsCryptDecrypt web service.

Token will contain the value that the merchant’s system will use in the future. TokenExpiryMonth and TokenExpiryYear will not be used in the communication with Gestpay: they can be useful for the merchant in order to know till when that Token will be valid.

To get the token from Encrypt, simply add the MASKEDPAN value to requestToken:

<requestToken>MASKEDPAN</requestToken>

It’s possible to create the token in the Encrypt method of WsCryptDecrypt web service even if the transaction is not authorized. To achieve this result it’s necessary to use :FORCED: before the token request:

<requestToken>:FORCED:MASKEDPAN</requestToken>

Token Values

Gestpay can manage two kinds of Tokens: standard Tokens and custom Tokens.

Standard Tokens will be made as masked card numbers.

They will start with the same 2 digits of the card they replace, and they will end with the same 4 digits of the card they replace; they will be 16 characters long. The middle part will be a string made of 10 characters that can be digits or capital letters.

The first 4 characters of this string will be always the same for each merchant (Different merchants will have a different 4 characters substring).

Sharing tokens

A group of shop logins can share a set of tokens.

If a merchant belongs to a group he can use all the tokens of the other merchants of the same group. The token could be updated or deleted from each of the components of the group using the appropriate web service.

The group of merchants is defined and mantained by Gestpay customer care. When a new merchant is added to a group, he can choose to insert in the group all his previous tokens; In the same way, if a merchant leaves a group he can decide to take or leave his tokens in the group.

Tokenization feature is not automatically available to all Gestpay merchants. It must be requested and explicitly enabled by Gestpay customer care.